The more I read ISO 27001 and ISO 27002 the more I ponder whether they really work in the way I would like them to.
Yes, they provide frameworks for managing IT risk but, at least in my decades of experience, the problems are:

* pragmatism: there is still far too much "security theatre" going on; we are still at the TSA stage of IT security,
* management buy-in: as long as the ISO 27001 certificate is obtained in some way or another, management is happy. The emphasis is on "in some way" and, in the immortal Italian tradition, "fatta la legge trovato l'inganno"¹.

While I do appreciate that the deception of the law applies all over the place, the security theatre part still irks me. The industry should by now be mature; the good ol' [Karger74]² is, well, old, and yet it seems someone rewrites it on a semi-daily basis. Some of the stuff written in it should be blindingly obvious by now but no, not in ITsec.

I don't actually have a solution so I guess this has just turned into an "old man shouts at The Cloud" (this meme has been updated for 2023, unlike ITsec).

Go back to installing a root-privileged anti-virus, sorry "smart security agent", on your machine.

Love,

#ISO27001 #ISO27002 #ISOmyarse
__
¹ "law made, deception found" (although it sounds so much better in Italian)
² P. Karger and R. Schell, "Multics Security Evaluation: Vulnerability Analysis" https://csrc.nist.rip/publications/history/karg74.pdf (PDF)